tomcat-dev mailing list archives

Hi,
OK with me. I've one outstanding patch related to fail on status. I
think Ben short is testing today. I wrote mails about it to the user
list and the patch is not committed yet. It's
http://people.apache.org/~rjung/mod_jk-dev/patches/fail-on-status.patch
(in short: fail on status has to be moved to a place a little earlier,
because at the moment headers are set before fail on status. So if we do
a retry and get different headers back, we produce an answer with an
undefined mix of headers. In the users case we set Content-Length from
the failure response, and the retry on another node succeeded with a
chunked encoding ...)
Also there is one outstanding fix concerning nsapi on netware (which now
has an unneeded dependency on shm).
We could review all changes since 1.2.24 (that's not much) and then skip
the quality check phase, instead directly roll an official test/vote
tarball. Would tomorrow be OK for that?
Regards,
Rainer
Mladen Turk wrote:
> Hi,
>
> We have a problem with 1.2.24 that luckily is not a security leak,
> but it is security related.
>
> The problem is that 401 from Tomcat without body
> (a standard HTTP_UNAUTHORIZED) is treated as 401, meaning
> that Apache is returning 401 page instead of passing 401
> to the client.
>
> I already patched the SVN.
> Can we roll 1.2.25?
>
> Regards,
> Mladen.
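The header-ordering problem described in the reply above, as an added example that is not part of the original mail and is not mod_jk code: a simplified model of a proxy that retries on a configured failure status, run once with headers copied before the status check and once with the check first. The status value 503, the header values and all function and struct names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HDRS 8

struct hdr { const char *name, *value; };
struct backend_reply { int status; struct hdr hdrs[4]; int nhdrs; };
struct client_resp { int status; struct hdr hdrs[MAX_HDRS]; int nhdrs; };

/* Constructed sample: node 0 fails with a sized error body, node 1 succeeds chunked. */
static const struct backend_reply NODES[2] = {
    { 503, { {"Content-Length", "1024"} }, 1 },
    { 200, { {"Transfer-Encoding", "chunked"} }, 1 },
};

static void copy_headers(struct client_resp *out, const struct backend_reply *in) {
    for (int i = 0; i < in->nhdrs && out->nhdrs < MAX_HDRS; i++)
        out->hdrs[out->nhdrs++] = in->hdrs[i];
}

/* check_first = 0: headers are copied before the fail-on-status test.
 * check_first = 1: status is tested first, so a failed reply contributes nothing. */
static struct client_resp forward(int fail_status, int check_first) {
    struct client_resp out = { 0 };
    for (int n = 0; n < 2; n++) {
        const struct backend_reply *r = &NODES[n];
        if (check_first && r->status == fail_status)
            continue;                 /* retry on next node, nothing copied */
        copy_headers(&out, r);
        if (!check_first && r->status == fail_status)
            continue;                 /* retry, but stale headers stay in out */
        out.status = r->status;
        break;
    }
    return out;
}

static int has_header(struct client_resp r, const char *name) {
    for (int i = 0; i < r.nhdrs; i++)
        if (strcmp(r.hdrs[i].name, name) == 0) return 1;
    return 0;
}

int main(void) {
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct client_resp r = forward(503, fixed);
        printf("%s: status=%d Content-Length=%d Transfer-Encoding=%d\n",
               fixed ? "check first" : "headers first", r.status,
               has_header(r, "Content-Length"), has_header(r, "Transfer-Encoding"));
    }
    return 0;
}
```

With the headers copied first, the 200 response carries both Content-Length and Transfer-Encoding, which is the ambiguous framing the mail refers to; with the check first only the successful node's headers reach the client.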